TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers

March 27, 2009

Reference Number: 2009-20-055

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 27, 2009

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers (Audit # 200820026)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) has made adequate progress in implementing required Federal secure configurations on employee computers. This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and is part of our statutory requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

IRS employees use desktop and laptop computers to perform their tax administration duties. Because taxpayers expect the IRS to protect their privacy and personal information, the security of employee computers is critical. The IRS is attempting to adopt a standard set of Federally required computer configuration settings and procedures to improve security and reduce operating costs. Although the IRS has taken actions, implementation of the configuration settings has been slow and some of the requirements have not been implemented. Without a complete set of security configuration settings, the IRS is at risk of business disruption or unauthorized access to taxpayers' personal information.

Synopsis

The Office of Management and Budget (OMB) required Federal Government agencies that use the Windows XP or VISTA[1] operating systems to adopt a standard set of configuration settings by February 1, 2008. These configuration settings are referred to as the Federal Desktop Core Configuration (FDCC). The intent of the requirement was to improve security and reduce operating costs.

[1] Windows XP and VISTA are computer operating systems produced by the Microsoft Corporation for use on desktop and laptop computers.

The IRS faces many challenges in implementing the FDCC.
IRS employees use more than 98,000 desktop and laptop computers located in approximately 670 facilities throughout the nation and operate more than 1,900 software applications, of which approximately 300 were internally developed for specific IRS business processes. As part of the implementation effort, the IRS must test each application to ensure it operates properly with the FDCC.

The IRS has made slow progress in implementing the FDCC settings. On October 29, 2008, the IRS implemented 102 settings on IRS workstations. However, these FDCC settings were installed on employee computers 9 months after the deadline set by the OMB for agencies to complete their FDCC implementation efforts. As of December 11, 2008, the IRS had implemented 205 (81 percent) of the 254 FDCC settings.

The delay in implementing the FDCC was primarily due to the untimely creation of a project team responsible for the FDCC implementation. The OMB issued the FDCC directive in March 2007. However, the IRS did not establish a project team until January 2008, 10 months after the OMB issued the directive and 1 week before the deadline for completing the FDCC implementation. The untimely creation of the project team occurred because some IRS officials mistakenly assumed the IRS' current common operating environment[2] was compliant with the FDCC.

We also found that, once the project team was established, the project leaders did not follow some basic project management practices while testing software applications for FDCC compatibility. The master control list used by the project leaders was incomplete and did not account for many applications that needed to be tested. The discovery of 92 applications after the 2-week testing phase required project leaders to initiate additional testing. In addition, the Work Breakdown Structure[3] developed for the project lacked critical tasks that were needed to accomplish the project's objectives. When basic project management practices are not followed, the risk of business disruption increases. As an illustration, when the IRS implemented its first set of FDCC settings, one critical application, which had not been tested, began experiencing problems and could have had severe consequences if the IRS had been unable to reverse the settings.

[2] To ensure consistency across the IRS network and improve security, the IRS created the common operating environment, which is a standardized set of commercial off-the-shelf and internally developed applications to support the needs of all IRS employees using Microsoft Windows. The common operating environment also allows the IRS to control security configuration settings and software on its workstations by changing one master template and then installing it on all computer workstations throughout the agency.
[3] A deliverable-oriented grouping of project elements that organizes and defines the total scope of the project.

The IRS also has not implemented some of the OMB's other FDCC mandates. An automated monitoring tool to detect and monitor changes to the FDCC settings after they are installed on employees' workstations has not been implemented. In addition, the IRS has not modified its software contracts to ensure software acquisitions operate properly with the FDCC settings. We identified 27 of 30 contracts for new software products that did not include the required FDCC contract language.

Recommendations

To ensure that basic project management practices are followed and OMB mandates are implemented, the Chief Technology Officer should 1) provide training to the FDCC project managers to ensure their project management skills and qualifications are sufficient, 2) instruct the project leaders to develop and maintain an accurate control list of applications that require testing, 3) conduct an analysis and consider the feasibility of acquiring a monitoring tool from the General Services Administration's blanket purchase agreement, and 4) direct the Cybersecurity office to coordinate with the Procurement Division and prioritize the work necessary to include the required FDCC contract language in information technology acquisitions.

Response

IRS management agreed with the recommendations. The IRS will provide project management training for the FDCC project managers and ensure the master control list of applications is maintained and updated. The Chief Technology Officer will conduct a cost-benefit analysis to determine whether the purchase of a separate monitoring tool from the General Services Administration's SmartBuy Program is in the IRS' best interest. Finally, the IRS plans to issue an agency-wide policy and interim acquisition procedures that will incorporate the FDCC contract language in information technology acquisitions. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background
Results of Review
    Actions Have Been Taken to Implement the Federal Desktop Core Configuration Settings
    A Project Team Was Not Established in a Timely Manner to Effectively Comply With the Office of Management and Budget Deadline
    Some Basic Project Management Practices Were Not Followed
        Recommendations 1 and 2
    An Automated Monitoring Tool Was Not Implemented to Detect Changes to Workstation Security Settings
        Recommendation 3
    Software Contracts Were Not Modified to Ensure Software Acquisitions Operate Properly With Federal Desktop Core Configuration Settings
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management's Response to the Draft Report

Abbreviations

FDCC    Federal Desktop Core Configuration
IRS     Internal Revenue Service
OMB     Office of Management and Budget

Background

Internal Revenue Service (IRS) employees use desktop and laptop computers to perform their tax administration duties. Because taxpayers expect the IRS to protect their privacy and personal information, the security of employee computers is critical. Without a complete set of security configuration settings for employee workstations, the IRS is at risk of business disruption or unauthorized access to taxpayers' personal information.

In March 2007, the Office of Management and Budget (OMB) required[1] Federal Government agencies that use the Windows XP or VISTA[2] computer operating systems to adopt a standard set of configuration settings. The intent of the requirement was to improve security and reduce operating costs.
The configuration settings were developed by the National Institute of Standards and Technology,[3] the Department of Defense, and the Department of Homeland Security and are referred to as the Federal Desktop Core Configuration (FDCC). The OMB required that all agencies adopt the FDCC by February 1, 2008. The National Institute of Standards and Technology published the first set of FDCC settings in July 2007. This first set included 229 mandatory security settings and an additional 329 configuration settings that are recommended to improve security and reduce risks and costs associated with software vulnerabilities.

In addition to implementing the FDCC settings, the OMB required[4] agencies to ensure that software acquisitions operate properly with the FDCC settings. Agencies are required to incorporate specific language in solicitations for new software and require vendors to certify that their products operate effectively using the configurations. The Federal Acquisition Regulation[5] was also revised to require agencies to include the FDCC requirement in contracts.

The IRS faces many challenges in implementing the FDCC settings. IRS employees use more than 98,000 desktop and laptop computers located in approximately 670 facilities throughout the nation and operate more than 1,900 software applications, of which approximately 300 were internally developed for specific IRS business processes. As part of the implementation effort, the IRS must test each application to ensure the applications operate properly with the FDCC settings.

[1] OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, dated March 22, 2007.
[2] Windows XP and VISTA are computer operating systems produced by the Microsoft Corporation for use on desktop and laptop computers.
[3] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
[4] OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, dated June 1, 2007.
[5] The Federal Acquisition Regulation is the principal set of rules in the Federal Acquisition Regulations System. This System consists of regulations issued by Federal Government agencies to govern the "acquisition process," which is the process through which the Federal Government purchases goods and services.

Other Federal Government agencies have also encountered significant challenges in implementing the FDCC. During a January 2008 conference with the OMB, one agency representative stated that the FDCC settings would "break their systems." Another agency representative made similar remarks, stating that the agency would not be compliant with the FDCC because a number of the settings caused problems on its computer systems.

After installing the FDCC on desktop and laptop computers, the IRS also faces the challenge of maintaining the settings, because system administrators throughout the IRS have the ability to change the settings on employee computers. To address this challenge, the OMB and the Department of the Treasury directed[6] the IRS to implement an automated tool to check that security configurations are continually maintained on computer workstations.

We focused our review on the FDCC settings that were tested and installed by the IRS project team, which is led by officials in the Modernization and Information Technology Services Division's Cybersecurity office and the End User Equipment and Services organization; the latter manages more than 91 percent of the desktop and laptop computers used by the IRS. This review was performed in the Modernization and Information Technology Services Division office in New Carrollton, Maryland; the Martinsburg Computing Center in Martinsburg, West Virginia; and the IRS Procurement offices in Oxon Hill, Maryland, during the period June through December 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[6] Treasury Memorandum TCIO M 08-01, Enhanced Cyber Security Controls, dated December 20, 2007.

Results of Review

While the IRS has taken some actions to implement the FDCC, progress has been slow and some of the security settings have not yet been implemented. The primary reason for the slow progress was that the IRS did not create a project team to implement the FDCC in a timely manner. Once established, the project team did not follow basic project management practices. In addition, the IRS has not implemented an automated tool to detect and monitor changes to the FDCC settings after they are implemented on IRS workstations, and it did not revise the language in its software contracts to ensure new software products operate properly with the FDCC.

Actions Have Been Taken to Implement the Federal Desktop Core Configuration Settings

The IRS has taken actions to implement some of the FDCC settings. Specifically:

• The IRS updated its internal procedures to include the FDCC settings applicable to the Windows XP operating system.
• The IRS selected 50 other settings, in addition to the 229 mandated security settings recommended by the National Institute of Standards and Technology, to implement in the IRS common operating environment.[7]
• The IRS had implemented 103 (41 percent) of the 254[8] FDCC settings in its common operating environment prior to the start of the FDCC project. This effort provided a solid foundation to start the implementation activities.
• The project team improved its test methodology after consulting with the Microsoft Corporation. The new test methodology allowed the IRS to test applications in the users' work environments with employees from each business operating division. The testers were assigned to support the FDCC effort because of their knowledge of the applications. This approach allowed the project team to gain support from the business units and increase the number of testers.
• On October 29, 2008, the IRS implemented 102 FDCC settings. Combining this effort with the settings already implemented in its common operating environment, the IRS had implemented 205 (81 percent) of the 254 settings required on IRS desktop and laptop computers. However, this progress occurred 9 months after the OMB deadline and, as of December 11, 2008, several of the 229 mandatory settings were still not implemented.

[7] To ensure consistency across the IRS network and improve security, the IRS created the common operating environment, which is a standardized set of commercial off-the-shelf and internally developed applications to support the needs of all IRS employees using Microsoft Windows. The common operating environment also allows the IRS to control security configuration settings and software on its workstations by changing one master template and then installing it on all computer workstations throughout the agency.
[8] Because 25 of the 229 settings relate to the VISTA operating system, which the IRS does not operate, the actual number of FDCC settings the IRS plans to implement is 254 (229 + 50 – 25 = 254).

Management Actions: Subsequent to the completion of our fieldwork, the IRS advised us that it implemented 13 additional FDCC settings on IRS workstations and laptop computers. In addition, the IRS classified eight settings as corporate deviations, which indicates the setting cannot be implemented because doing so would adversely impact an application.

A Project Team Was Not Established in a Timely Manner to Effectively Comply With the Office of Management and Budget Deadline

Despite the actions previously discussed, overall efforts toward implementing FDCC settings on IRS computers have been slow. The IRS Modernization and Information Technology Services Division should have established an FDCC project team to assess the scope of work needed to implement the FDCC soon after the OMB issued its FDCC directive in March 2007. However, the IRS waited until January 2008, 10 months after the OMB memorandum was issued and 1 week before the February 1, 2008, OMB deadline for implementing the FDCC.

In October 2007, the Associate Chief Information Officer, Cybersecurity, sent an email to IRS executives advising them to consider the implications of the OMB requirement. However, actions to establish a team were not taken in a timely manner because some IRS officials assumed the existing common operating environment was compliant with the FDCC requirements. The IRS End User Equipment and Services organization did not learn of the OMB requirement until October 2007, at which time it discussed the requirement with the Microsoft Corporation. During this meeting, the magnitude and complexity of implementing the FDCC settings became clear. However, the IRS waited an additional 3 months before appointing a project leader.

The delay in establishing a project team was the primary reason the IRS was late in complying with the FDCC requirement, possibly resulting in inadequate security over taxpayer data and computer operations. However, we did not assess the effect of the untimely implementation and did not identify any security breaches resulting from the untimely and incomplete implementation of FDCC settings on IRS computers.

Some Basic Project Management Practices Were Not Followed

In addition to the delay in assembling a project team to lead the FDCC implementation efforts, the IRS did not follow some basic project management practices. Project management is the application of knowledge, skills, tools, and techniques to project activities to ensure a project meets its goals. In general, project management can be broken down into the processes of planning, executing, monitoring, controlling, and closing a project. The project manager is the person responsible for accomplishing the project objectives.

The Guide to the Project Management Body of Knowledge[9] states that the project manager should maintain an accurate and timely information base. Continuous monitoring provides insight into the health of a project and identifies areas that require special attention. The project manager should maintain a complete master control list of applications throughout the test phase to monitor and control the testing. This basic project management practice allows the project leader to ensure that all applications identified in the planning phase are actually tested and that the test results are monitored for each application. The project manager should also develop and maintain a Work Breakdown Structure[10] to plan and manage the tasks necessary to accomplish the project's objectives.

[9] Published in 2004 by the Project Management Institute, it is an internationally recognized standard that provides the fundamentals of project management as they apply to a wide range of projects, including software development.
[10] A deliverable-oriented grouping of project elements that organizes and defines the total scope of the project.

Inadequate controls resulted in some applications not being tested

The FDCC project leaders tested IRS applications to ensure that they would properly operate with the FDCC settings. However, they did not control and account for all applications that needed to be tested. The master control list of applications used by the project leaders was incomplete and did not account for many applications. In addition, the project leaders did not update the master control list with test results to monitor the testing for each application and ensure that all applications were tested.

The project leaders coordinated with the Modernization and Information Technology Services Division's Applications Development organization after completing a 2-week testing exercise on September 16, 2008, and discovered 92 applications that were not accounted for on the master control list. The discovery of the 92 applications required the project leaders to conduct additional testing to ensure the applications would properly operate with the FDCC settings. Examples of omitted applications included the:

• Electronic Installment Agreement Project. This application offers taxpayers the ability to establish streamlined payment agreements over the Internet. It allows taxpayers or authorized representatives (Power of Attorney) to self-qualify, apply for an installment agreement, and receive online approval notification.
• Enterprise Logistics Information Technology. This application is an integrated, web-based, real-time supply chain execution system used by the Accounts Management and Compliance Services Processing organizations to receive, store, manage, and distribute IRS tax forms.

The project leaders also did not use sources available to them to complete their master control list of applications. The list was developed based on applications submitted by volunteer testers and applications designated as important by IRS business units. However, other sources were available, such as the list of applications the IRS reports to the OMB as part of the annual Federal Information Security Management Act[11] compliance reporting process. This list contained 29 applications that were not accounted for on the project leaders' master control list. When we provided the names of the 29 applications to the project leaders, they delayed the implementation of the FDCC settings to ensure the applications were tested. They found that 8 applications had not been tested and 21 applications had been tested but were not accounted for on the master control list. Examples of missing applications from this source included the:

• Integrated Collection System. This application provides workload management, case assignment/tracking, inventory control, electronic mail, and case analysis tools to support the Small Business/Self-Employed Division collection fieldwork.
• Tip Database. This application is used by the Small Business/Self-Employed Division to store all tip rate agreement data for casinos. The Tip Database helps to quickly and more accurately identify nonfilers or tip income underreporters by eliminating errors from a previously manual process.

[11] The Federal Information Security Management Act is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

Another source available to the project leaders was the inventory of new applications maintained by the Workstation Standards office, which is part of the End User Equipment and Services organization within the Modernization and Information Technology Services Division. We determined that five applications, acquired between January 22 and October 10, 2008, were installed in the IRS operating environment without being tested for compatibility with the FDCC settings. The project leaders believed the Workstation Standards office was responsible for testing new software applications against the FDCC settings. However, the Workstation Standards office tested the new applications for compatibility with the IRS' current common operating environment image, which did not include the new FDCC settings.

In addition to not maintaining a complete master control list of applications, the project leaders did not account for the applications' test results on the master control list. The test results for each application should have been accounted for and recorded on the master control list to monitor test results and ensure each application was tested. The project leaders relied on the volunteer testers to test the applications that they use in their normal workday and to prepare a helpdesk ticket if they found a problem. The testers were also asked to record their test results on spreadsheets. However, the results from the testers' spreadsheets were not recorded on the master control list to ensure that all applications were tested.

The risk of business disruption increases when the control and monitoring over testing are inadequate. This risk was realized after the project team installed the first group of FDCC settings on October 29, 2008. Within a few days, the Financial Management Secure Payment System, a critical application, began to experience problems. The application, which is used to certify tax refunds, had not been tested. The IRS must pay significant penalties when it is unable to timely certify refund checks. In this instance, the IRS avoided paying penalties because the project team was able to reverse the FDCC settings on the computers of employees who use the application. However, the incident highlights the risk of not maintaining a complete master control list of applications and ensuring that all applications are tested.

The Work Breakdown Structure was inadequate to plan and manage the FDCC project

The Work Breakdown Structure developed by the project leaders lacked critical tasks that were needed to accomplish the project's objectives. Examples of the missing tasks include:

• Conduct a gap analysis to identify missing applications.
• Develop and maintain a master control inventory of applications and test results.
• Develop a "roll-back" plan in the event that a need arises to reverse the FDCC settings from IRS workstations.
• Develop presentations and present status report briefings to stakeholders and oversight agencies such as IRS executives, the OMB, the Department of the Treasury, and the Treasury Inspector General for Tax Administration.
• Coordinate with the IRS project that is planning to replace all IRS laptop and desktop computers.

Some of the critical work and activities were included in the Work Breakdown Structure. However, the work and activities were described at a high level. Several activities lacked detailed descriptions and delineation. The Project Management Institute defines a Work Breakdown Structure as a deliverable-oriented hierarchical decomposition of the work to be executed by the project team to accomplish the objectives and create the required deliverables.[12] Each descending level represents an increasingly detailed definition of the project work.

[12] The Project Management Institute book entitled Practice Standard for Work Breakdown Structures, Second Edition, 2006, provides guidance on the creation of a Work Breakdown Structure.

The Work Breakdown Structure also lacked a critical path, which is the sequence of activities that must be completed on schedule for the entire project to be completed on schedule. A critical path allows the project manager to identify and calculate the effect of delays and manage the inevitable challenges that occur on all large, complex projects.

A Work Breakdown Structure that does not include the planned work, critical path, and detailed descriptions of activities does not fulfill its primary purpose, which is to help the project leader manage the project, identify schedule delays, and ensure completion of all tasks in a timely manner. Considering the complexity of implementing FDCC settings throughout the IRS, we believe a more complete Work Breakdown Structure could have improved the planning and the timeliness of implementing the FDCC settings.

We attribute the inadequate testing controls and Work Breakdown Structure to a lack of basic project management skills and qualifications. The project managers assigned to this project did not have the necessary skills to lead a project of this complexity.

Recommendations

To ensure that basic project management practices are followed, the Chief Technology Officer should:

Recommendation 1: Provide training to the FDCC project managers to ensure their project management skills and qualifications are sufficient.

Management's Response: The IRS agreed with this recommendation. The IRS Chief Technology Officer will provide the FDCC project leaders with project management training to ensure their skills and qualifications are sufficient.

Recommendation 2: Instruct the FDCC project leaders to develop and maintain an accurate master control list of all applications that require testing. The master control list should be frequently updated to account for software applications that are developed in-house or acquired from vendors.
The master control list should also be updated with the test results for each application to verify that each application is tested and to maintain an accurate and timely information base for all test results.
       Management’s Response: The IRS agreed with this recommendation and will ensure the master control list of applications is maintained and updated to account for software applications that are developed in-house or acquired from a vendor. The master control list will be updated with test results to indicate which applications have been tested and will be maintained as an accurate and timely information base.

An Automated Monitoring Tool Was Not Implemented to Detect Changes to Workstation Security Settings
Long before the issuance of FDCC requirements by the OMB, the IRS had been required to monitor the security configuration settings on IRS workstations. The task of monitoring computer settings is paramount to ensure that once secure settings have been implemented those settings have not been improperly changed. In a previous review13 of the IRS common operating environment, we reported that security settings were not consistently maintained once installed. In that report we found that, of our sample of 102 computers with the common operating environment image installed, only 42 were secure. The remaining 60 computers complied with less than 90 percent of the computer settings prescribed by the IRS or contained at least 1 high-risk vulnerability that could be exploited to either take control of the computer or render it unusable. We attributed the weak security settings to system administrators because they are the only persons authorized to change the security settings on employee workstations.
       The IRS spends an average of $2 million each year to perform monthly scans on a sample of computers to detect unauthorized changes to security settings.
To detect and monitor changes to its common operating environment, the IRS uses the Windows Policy Checker14 product. This tool is used to perform monthly scans on a sample of computers to detect unauthorized changes to security settings. However, the tool is labor-intensive and the Modernization and Information Technology Services Division spends an average of $2 million each year to operate the tool. In May 2007, the IRS initiated the Security Compliance Posture Monitoring and Reporting Project to develop an automated enterprise approach to monitor security settings and manage information technology assets. Part of the project included acquiring an automated tool, validated by the National Institute of Standards and Technology, to monitor configuration settings. The tool would be used to automatically scan computers throughout the IRS network.
The OMB created a greater sense of urgency when it required15 Federal Government agencies to monitor the FDCC settings by acquiring and using a tool compliant with the National Institute of Standards and Technology’s Security Content Automation Protocol.16 The Department of the Treasury reinforced the OMB requirement by setting an implementation deadline of January 31, 2008. However, the IRS has not complied with the OMB and Department of the Treasury requirements and has not purchased an approved scanning tool.
13 Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Report Reference 2006-20-031, dated February 2006).
14 A tool used to determine whether systems are adhering to security policies.
15 Memorandum for Chief Information Officers, Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations, dated July 31, 2007.
16 A method for using specific standards to enable automated vulnerability measurement and policy compliance evaluation. It is used to enumerate software flaws and security-related configuration issues.
The delay in implementing the automated monitoring tool is due to a change in acquisition strategy. The IRS attempted to establish a sole-source contract to save time and costs in the acquisition process. However, in October 2008, the IRS Procurement Review Board rejected the sole-source procurement strategy and required the IRS to use an open-competition procurement. The IRS’ initial plan was to complete the Security Compliance Posture Monitoring and Reporting acquisition and deploy the monitoring tool in December 2009. However, the change in acquisition strategy will cause an additional delay. As of October 1, 2008, the IRS had not completed a request for proposal, which is a crucial first step in acquiring the product.
Until an automated enterprise monitoring tool is implemented, the IRS will 1) be vulnerable to unauthorized changes to its security settings, 2) be noncompliant with the OMB and Department of the Treasury requirements, and 3) incur maintenance costs for its outdated and labor-intensive Windows Policy Checker tool. In addition, it will be unable to monitor compliance with the FDCC settings throughout the organization. These risks increase the need to acquire a monitoring tool in a more timely manner than can be achieved through the Security Compliance Posture Monitoring and Reporting acquisition.
A viable alternative to the current acquisition strategy might be the General Services Administration’s Government-wide blanket purchase agreement, referred to as the SmartBuy Program. The SmartBuy Program allows Federal Government agencies to select from an approved list of information technology vendors that provide security products with the ability to monitor and report on FDCC compliance. The security products have been validated as compliant with the National Institute of Standards and Technology’s Security Content Automation Protocol guidelines.

Recommendation
Recommendation 3: The Chief Technology Officer should conduct an analysis of the costs and benefits of separating the purchase of the automated monitoring tool from the Security Compliance Posture Monitoring and Reporting acquisition.
The cost-benefit analysis would allow the IRS to decide whether to purchase the tool from the General Services Administration’s SmartBuy Program.
       Management’s Response: The IRS agreed with this recommendation. The Chief Technology Officer will perform a cost-benefit analysis and request senior Modernization and Information Technology Services Division leadership to consider whether the purchase of a separate monitoring tool through the General Services Administration’s SmartBuy Program would be in the IRS’ best interest.

Software Contracts Were Not Modified to Ensure Software Acquisitions Operate Properly With Federal Desktop Core Configuration Settings
The Federal Acquisition Regulation requires Federal Government agencies to include specific language in contracts for information technology purchases. When acquiring information technology, agencies must include the appropriate information technology security policies and requirements, including the common security configurations available from the National Institute of Standards and Technology.
The Department of the Treasury also requires the IRS to include specific FDCC language in software contracts. The new contract language recommended by the Department of the Treasury is intended to ensure that new acquisitions include common security configurations and that information technology providers certify that their products operate effectively using these configurations. The Department of the Treasury specified the following recommended language as a guide for agencies to use in their contracts:
         “a) The provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista.
         b) The standard installation, operation, maintenance, updates, and/or patching17 of software shall not alter the configuration settings from the approved FDCC configuration…”
The Department of the Treasury guidance was issued in June 2007. However, the IRS has not fully adopted the new FDCC contract language. We identified 27 (90 percent) of 30 contracts for new software products, including software upgrades and maintenance contracts, that did not include the required FDCC contract language. The three contracts that included the new FDCC language were uniquely processed because the contracts were sent by IRS business units directly to the Cybersecurity office for review rather than to the IRS Procurement Division.18 The Cybersecurity office ensured the FDCC language was incorporated into the contracts prior to the contracts being forwarded to the Procurement Division. The 27 contracts that did not include the required FDCC language were not forwarded to the Cybersecurity office for review. These contracts totaled more than $15.8 million and included software products such as:
     •   VMware Workstation – A management tool for system administrators to enable control, configuration, monitoring, and troubleshooting a virtual server.
     •   Brava! Enterprise – Software that provides secure content visualization and annotation for the IRS’ internal and external web sites.
     •   SecureDoc – Software that is used for full disk encryption to protect sensitive information stored on laptop and desktop computers.
17 A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.
18 The Procurement Division is part of the IRS Agency-Wide Shared Services Division.
The IRS did not place sufficient emphasis on implementing the requirement to adopt the FDCC contract language into its contracts. As a result, the IRS has not contractually obligated vendors to provide applications and software products that operate as intended with the FDCC. Consequently, the IRS may be procuring software products that are not secure and would need to expend additional resources to correct deficiencies. If acquired software products are tested and found to be incompatible with the FDCC, the IRS would not have adequate recourse and the vendor would have the right to demand payment.

Recommendation
Recommendation 4: The Chief Technology Officer should direct the Cybersecurity office to coordinate with the Procurement Division and prioritize the work that is necessary to include the required FDCC contract language in information technology acquisitions.
       Management’s Response: The IRS agreed with this recommendation and will ensure affected stakeholders coordinate and prioritize the work that is necessary to issue an agency-wide policy and interim acquisition procedures that incorporate the FDCC contract language into information technology acquisitions.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has made adequate progress in implementing required Federal secure configurations on employee computers. These Federal secure configurations are referred to as the FDCC. To accomplish our objective, we:
I.      Identified the FDCC security settings that the National Institute of Standards and Technology1 published for Federal Government computers running Windows XP and determined the cause for any delays in implementing the settings.
        A. Reviewed the National Institute of Standards and Technology checklist to identify the required FDCC settings.
           We determined when the checklist was finalized and made available to Federal Government agencies.
        B. Reviewed the Internal Revenue Manual and compared it to the FDCC settings to determine how many FDCC settings were established in IRS procedures prior to the FDCC being required.
        C. Evaluated the stability of the National Institute of Standards and Technology checklist and identified changes that were made after initial publication of the checklist.
        D. Interviewed End User Equipment and Services organization project personnel to determine whether the IRS completed an initial FDCC compliance assessment and established a project team in a timely manner.
        E. Interviewed project leaders to determine whether the FDCC project team had adequate executive leadership and oversight during the early phases of the project.
II.     Evaluated the End User Equipment and Services organization project team’s testing methodology to determine whether the current testing is adequate to adopt the highest possible number of FDCC settings in a timely manner.
        A. Interviewed the End User Equipment and Services organization lab team and obtained a walk-through of their testing methodology. We determined whether the current testing methodology will identify potential problems if the FDCC settings are installed in the common operating environment.2 We determined:
           1. The number of FDCC settings that have been tested and approved.
           2. The scope of the testing.
           3. How the applications are tested, i.e., tested in isolation or while operating simultaneously with other applications running in the user environment.
           4. Whether the test environments used for testing are representative of actual IRS operating environments.
           5. How the settings are passed or deemed acceptable for the IRS common operating environment.
           6. The number of settings implemented, via Active Directory, on IRS computers.
        B. Interviewed project personnel to determine why the first testing methodology was unsuccessful and how much of a delay the failed test methodology caused.
        C. Evaluated the Work Breakdown Structure to determine whether the timetable for testing all FDCC settings is feasible.
        D. Analyzed test reports to verify that the test team documented and analyzed results.
        E. Determined how the Security Content Automation Protocol3 testing tool operates and its effect on the FDCC implementation efforts.
        F. Evaluated the procedures the lab follows to control and address the problems/issues that are identified in the test environment.
III.    Evaluated the implementation of FDCC settings in the IRS computing environment to determine whether the IRS installed the settings that were tested and approved by the End User Equipment and Services organization project team.
        A. Interviewed project team personnel and reviewed documentation to determine whether the IRS has made progress in implementing the FDCC settings.
        B. Evaluated justifications for FDCC deviations to determine whether they were warranted.
IV.     Evaluated the controls and tools used by the End User Equipment and Services organization to monitor compliance with the FDCC settings that have been put in place.
        A. Determined whether the IRS had taken corrective actions to address the issues in our audit report Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006).
        B. Interviewed the project team to determine whether the IRS had automated the enforcement of the FDCC settings.
        C. Interviewed project personnel to determine how the End User Equipment and Services organization restricts administration of the configuration settings.
        D. Determined whether the IRS established a process to ensure acquisitions made after June 2007 include the FDCC settings and that information technology vendors certify that their products operate effectively using the configurations.
1 The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
2 To ensure consistency across the IRS network and improve security, the IRS created the common operating environment, which is a standardized set of commercial off-the-shelf and internally developed applications to support the needs of all IRS employees using Microsoft Windows. The common operating environment also allows the IRS to control security configuration settings and software on its workstations by changing one master template and then installing it on all computer workstations throughout the agency.
3 A method for using specific standards to enable automated vulnerability measurement and policy compliance evaluation. It is used to enumerate software flaws and security-related configuration issues.

Appendix II

Major Contributors to This Report

Margaret Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Stephen Mullins, Director
Kent Sagara, Acting Director
W. Allen Gray, Audit Manager
Cari Fogle, Senior Auditor
George Franklin, Senior Auditor
Bret Hunter, Senior Auditor
Esther Wilson, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Associate Chief Information Officer, Cybersecurity OS:CIO:C
Associate Chief Information Officer, End User Equipment and Services OS:CIO:EUES
Director, Stakeholder Management Division OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Information Officer OS:CIO
       Associate Chief Information Officer, Cybersecurity OS:CIO:C
       Associate Chief Information Officer, End User Equipment and Services OS:CIO:EUES
       Director, Program Oversight OS:CIO:SM:PO

Appendix IV

Management’s Response to the Draft Report